LetsEncrypt SSL certificate creation failed for subdomain when transferring site

I am moving a website from server A to server B (Windows Server + IIS).

Server A has site.com and sub.site.com A-records pointing to IPs on server A. Now I am trying to keep the DNS on server A while pointing the A records to IPs on server B.

I managed to create site.com SSL certificate using LetsEncrypt win-acme client but sub.site.com fails with following output:

[INFO] Target generated using plugin IISBinding: sub.site.com
[WARN] First chance error calling into ACME server, retrying with new nonce...
[INFO] Authorize identifier: sub.site.com
[INFO] Authorizing sub.site.com using http-01 validation (SelfHosting)
[EROR] "type": "urn:ietf:params:acme:error:unauthorized", "detail": "Invalid response from http://sub.site.com/.well-known/acme-challenge/<token> [server.a.ip]: \"<!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\">\\n<html><head>\\n<title>404 Not Found</title>\\n</head><body>\\n<h1>Not Found</h1>\\n<p\"", "status": 403 }
[EROR] Authorization result: invalid
[EROR] Create certificate failed: Authorization failed

It worked with site.com, what am I doing wrong?

I don't even know what that .well-known/acme-challenge directory is, there isn't one on my server (not for site.com root dir either).